What is continuous authentication?
Continuous authentication is a method of confirming a customer’s identity in real time when they are banking. Typically, this happens when a customer is using their mobile phone or desktop, or an ATM, or when they are in a branch. It includes their banking session from beginning to end, or from login to logout. Continuous authentication relies on continuous data processed by a risk engine that applies the appropriate level of authentication during the entire session. This makes it possible for a financial institution to continuously confirm that the legitimate bank account owner is in fact the person transacting on the account – and not a fraudster. Continuous authentication happens throughout all events, such as checking a balance, making a wire transfer, or adding a payee, as the customer progresses through their banking session.
Continuous authentication uses multiple streams of data to allow the risk engine to be able to evaluate and recognize a customer’s unique movements and patterns during their banking session. The customer doesn’t notice that their location, device, environment, keyboard cadence, and more, are being compared to a profile of how they normally interact with their phone and their banking application as part of their user experience.
Continuous authentication also allows a risk engine, which is the core of a fraud prevention system, to monitor and analyze all data related to the banking session, the customer, and their device, to determine the probability of fraud. The risk engine is continuously assigning a risk score in real time to each action that’s taking place during the banking session.
With continuous authentication, the customer’s behavior is continually assessed without their direct participation until the behavior departs from their normal activity, resulting in additional layers of security. The precise level of security is applied at the right time and can mean that the customer is unaware of the security being performed in the background on their behalf. However, it also allows financial institutions to reduce friction for legitimate banking sessions by decreasing the authentication required for genuine interactions, giving the customer a smooth experience.
How continuous authentication works
Banks and other financial institutions can use continuous authentication as part of their anti-fraud strategy. Data can be collected from many different components of a customer’s session with their bank and can be anything from how they interact with their mobile devices, such as swipe patterns and keystroke dynamics, to their location. It can even be things such as what else is happening within the device at the time the customer is using it. All of this information helps to develop a data profile of the user. Fraud risk analytics can then readily detect any deviation from this pattern and react accordingly.
Continuous authentication does not increase the time the customer spends on authentication, provided their behavior pattern does not deviate from their accepted pattern. If it does, the anti-fraud system will challenge the user with step-up authentication. As noted, the authentication mechanism will not interrupt the customer after logging in unless necessary.
With continuous authentication, data profiles work with the financial institution’s risk engine to provide the most accurate risk score to help detect fraud. This allows financial institutions to determine and apply authentication requirements that match the relative risk of the transaction as it is taking place. An advanced rule engine will filter out fraudulent events that meet specific criteria, but on its own it can’t keep up with the complexity of fraud attacks. When combined, machine learning and a rule-based system can cover a wide attack space. Continuous authentication technology can spot the moment at which security needs to be stepped up, or a transaction stopped, to help prevent fraud based on a real-time risk assessment.
There are many varieties of data sources that the banking application (mobile, desktop, ATM or branch) can provide to the risk engine. One example is behavioral biometrics, a term that covers a wide range of signals. Behavioral biometrics can be user interactions within a mobile application, such as how you hold the phone or your swipe patterns. But it can also be user patterns and how the customer interacts with the bank, such as the time of day or where they are. Behavioral biometrics add to the creation of a customer data profile that is used by the risk engine.
Continuous authentication can use different types of behavioral biometrics
Behavioral biometrics work behind the scenes looking at how a customer behaves with their device to identify their unique pattern of behavior, continuously authenticating them during their banking session to ensure they are the legitimate user. Behavioral biometric authentication compares a customer’s current behavior against past behavior stored in their profile. The greater the similarity between the profile and the current pattern of behavior, the less a bank needs to be concerned about their identity and intent.
In the case of an unknown person remotely applying for a new bank account, a behavioral biometrics security solution can also compare their behavior to what is typical for a wider population, which results in a score evaluating the probability that the person performing the actions is not a bot or computer program gaining unauthorized access. With behavioral biometrics, a person’s behavior with their device helps determine the level of authentication needed based on the level of risk.
Types of behavioral biometrics used for continuous authentication:
- How you hold your phone: The dominant hand you use when on your phone and the angle at which you hold your phone are analyzed with behavioral biometrics.
- How you type and how fast you type determine your keystroke rhythm.
- The amount of finger pressure that you use when you are typing can be put into a recognizable pattern, which can help prevent identity theft and reduce the risk of online fraud.
- Swipe or scroll patterns look at whether you swipe right or left on the touchscreen of your device and how you scroll up or down on your device.
- Your gait, or how you walk, is also a behavioral trait that can be studied for a pattern.
How continuous authentication helps prevent fraud
Continuous authentication can spot anomalies in a customer’s established pattern of user behavior with their device and their bank. In addition, behavioral biometrics can detect malware, such as bots that capture a person’s keystrokes to reveal their banking information, because the bot’s movements would be different from a person’s keystrokes.
When suspicious behavior is detected, financial institutions can request additional authentication from the user to challenge the login access or banking transactions taking place. If the user can pass the security hurdle and authenticate, they can proceed. If they cannot, the process is stopped, and the fraud is prevented.
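The profile comparison described in the behavioral biometrics section above, and the point that a bot’s keystrokes look different from a person’s, as an added Python example that is not part of the original article. It assumes a profile consisting of the mean and standard deviation of a customer’s inter-key intervals in milliseconds, a similarity score derived from how far a new sample’s intervals fall from that profile, and a dispersion check that flags samples with unnaturally uniform timing as automation; the timing data, thresholds and function names are all constructed for illustration.

```python
"""Added example (not from the original article): comparing a keystroke-rhythm
sample against a stored behavioral profile and classifying the result.

Assumptions (constructed): a profile is the mean and standard deviation of a
customer's historical inter-key intervals (ms). A new sample is scored by its
average standardized distance from the profile. Samples whose timing is far
more uniform than a human's are flagged as automation, even when their
average interval happens to match the profile. Thresholds are illustrative.
"""
from statistics import mean, pstdev

# Constructed historical inter-key intervals (ms) from three past sessions.
HISTORY = [
    [180, 210, 160, 240, 190, 205, 175, 220],
    [195, 185, 230, 170, 200, 215, 180, 210],
    [170, 225, 190, 200, 180, 235, 165, 215],
]


def build_profile(samples):
    """Flatten historical samples into a mean/std profile (std floored at 1 ms)."""
    intervals = [iv for s in samples for iv in s]
    return {"mean": mean(intervals), "std": max(pstdev(intervals), 1.0)}


def similarity_score(profile, sample):
    """Return a score in 0..1; 1 means the sample is very close to the profile.

    Each interval is expressed as a standardized distance (z) from the profile
    mean; the score decays linearly and reaches 0 at an average z of 3.
    """
    z = [abs(iv - profile["mean"]) / profile["std"] for iv in sample]
    return max(0.0, 1.0 - mean(z) / 3.0)


def evaluate_sample(profile, sample, match_threshold=0.6, min_dispersion_ratio=0.2):
    """Classify a sample as 'match', 'mismatch' or 'automation'.

    Human typing always shows natural variation, so a sample whose spread is
    a small fraction of the customer's usual spread is treated as scripted
    input regardless of how well its average matches.
    """
    if pstdev(sample) < min_dispersion_ratio * profile["std"]:
        return "automation"
    score = similarity_score(profile, sample)
    return "match" if score >= match_threshold else "mismatch"


PROFILE = build_profile(HISTORY)

# Constructed test samples: the genuine customer, a different (faster) human,
# and a script replaying the customer's average interval with no variation.
GENUINE = [185, 205, 175, 220, 195, 210]
OTHER_HUMAN = [90, 110, 85, 120, 95, 105]
REPLAY_BOT = [198, 198, 198, 198, 198, 198]

if __name__ == "__main__":
    for name, sample in [("genuine", GENUINE), ("other_human", OTHER_HUMAN),
                         ("replay_bot", REPLAY_BOT)]:
        print(f"{name:12s} score={similarity_score(PROFILE, sample):.2f} "
              f"decision={evaluate_sample(PROFILE, sample)}")
```

In a real deployment the profile would be updated from sessions that completed without a challenge, so that the customer’s pattern can drift over time without producing false mismatches; the dispersion check is what prevents a replayed average from passing.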
The threat landscape is always changing with the number of attacks and data breaches increasing, providing challenges to cybersecurity while giving fraudsters plenty of opportunities. With continuous authentication, financial institutions have an opportunity to lower their vulnerability to many attack vectors and cybersecurity threats.
As a result of COVID-19, there has been a sharp increase in fraud attacks. According to Aite Group, “One large FI executive says that his FI had previously forecast an 8% decrease in fraud in 2020 and has revised that projection to a 10% to 15% increase in fraud for the year, and he says most peer banks have done the same.” Continuous authentication helps reduce fraud because it goes far beyond verifying a customer’s identity at login or when they are doing a transaction. It’s important to note that behavioral biometrics can be difficult for fraudsters to beat at this time because they provide continuous signals about the authenticity of the customer based on behavior.
Behind the Scenes with Continuous Authentication: The Role of Machine Learning and Fraud Rules
Machine learning algorithms can analyze very large amounts of transaction data that would be difficult and time consuming for analysts to review. The algorithms take into account the customer’s location, device, network, and other data. All of this data builds a detailed portrait of each transaction, flagging suspicious transactions from an attacker or a bot in real time based on risk scores that are highly accurate. Depending on the risk score, there can be an immediate authentication challenge presented based on behavioral patterns, if needed. A customer could be asked to enter a one-time password (OTP) generated by their authenticator device or delivered by push notification, for example. Or, if the risk level is very high, the customer could be asked for a facial scan for user authentication. If they cannot successfully authenticate, the banking interaction or transaction is stopped.
Additionally, a risk score can also include the user’s history of security incidents, number of logins, and the sensitivity of the data to be accessed. The reason that an authentication score is based on a combination of many contextual and other data points is because one data point on its own can and will be beaten by an attacker. However, many access requests fall below the defined risk thresholds and do not require additional authentication.
Machine learning also looks at the data elements of a customer’s device: how the device is used, its age, whether it is a shared device, and which biometric and authentication methods are enrolled on that device, among others. It can also reduce human bias and alert fatigue by only presenting highly unusual events and transactions to a fraud expert. A low-risk transaction (such as a balance check from a known device) would require no additional validation, and higher-risk transactions (such as a large transfer from a jailbroken device in a new location) would trigger additional authentication steps. A jailbroken device is a phone that has been modified so that changes can be made to it that aren’t supported by the software in its default state.
While machine learning algorithms can spot emerging attack scenarios due to their strength in detecting anomalies, an anti-fraud system that uses fraud rules can only detect known fraud attacks, such as a phishing attack or credential stuffing. This is why rule libraries are so lengthy: as each new fraud attack is identified, a rule is built and added, driving the need to maintain hundreds or even thousands of individual rules. An advanced rules engine will filter out fraudulent events meeting specific criteria and will catch transactions with amounts that deviate from a normal scenario, alerting the system to step up authentication. But a rule-based system on its own can’t keep up with the complexity of fraud attacks, and as rule libraries keep expanding they put pressure on the system, slowing operations and increasing the false positive rate. When a rules-based system is combined with machine learning, however, the two together provide strong capabilities to detect a wide array of fraud attempts.
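The combination just described, a small rule library for known fraud patterns blended with a behavioral anomaly score and mapped to allow, step-up or block decisions per action, as an added Python example that is not part of the original article or any vendor’s product. The event fields, rule weights, blend ratio, thresholds, the anomaly score (assumed to arrive from a behavioral biometrics component such as the one above) and the two sample sessions are all constructed for illustration.

```python
"""Added example (not from the original article): a toy session risk engine.

Assumptions (constructed): each action in a banking session is an Event with a
few context fields plus an anomaly score in 0..1 supplied by behavioral
biometrics. A rule library scores known fraud patterns; the anomaly score
covers unknown ones. The two are blended into a per-action risk score that is
mapped to allow / step_up_otp / step_up_biometric / block. All weights and
thresholds are illustrative placeholders.
"""
from dataclasses import dataclass


@dataclass
class Event:
    action: str               # "balance_check", "add_payee", "wire_transfer"
    amount: float = 0.0
    device_known: bool = True
    jailbroken: bool = False
    new_location: bool = False
    anomaly: float = 0.0      # behavioral anomaly score, 0 = normal, 1 = very unusual


# Rule library: (name, predicate(event, session), weight). Each rule encodes a
# known risky pattern; predicates may consult earlier actions in the session.
RULES = [
    ("unknown_device", lambda e, s: not e.device_known, 0.25),
    ("jailbroken", lambda e, s: e.jailbroken, 0.30),
    ("new_location", lambda e, s: e.new_location, 0.20),
    ("add_payee", lambda e, s: e.action == "add_payee", 0.15),
    ("large_transfer", lambda e, s: e.action == "wire_transfer" and e.amount >= 5000, 0.30),
    ("transfer_after_new_payee",
     lambda e, s: e.action == "wire_transfer" and "add_payee" in s["actions"], 0.25),
]

RULE_WEIGHT = 0.6    # share of the final score from known patterns
ANOMALY_WEIGHT = 0.4  # share from the behavioral anomaly score


def score_event(event, session):
    """Return (risk, hit_rule_names) for one action in its session context."""
    hits = [name for name, pred, _ in RULES if pred(event, session)]
    rule_score = min(1.0, sum(w for name, _, w in RULES if name in hits))
    risk = min(1.0, RULE_WEIGHT * rule_score + ANOMALY_WEIGHT * event.anomaly)
    return round(risk, 3), hits


def decide(risk, thresholds=(0.2, 0.5, 0.8)):
    """Map a risk score to the authentication response for this action."""
    low, mid, high = thresholds
    if risk < low:
        return "allow"
    if risk < mid:
        return "step_up_otp"
    if risk < high:
        return "step_up_biometric"
    return "block"


def run_session(events):
    """Score each action in order; the session record lets later rules see earlier actions."""
    session = {"actions": []}
    outcomes = []
    for e in events:
        risk, hits = score_event(e, session)
        outcomes.append({"action": e.action, "risk": risk,
                         "decision": decide(risk), "rules": hits})
        session["actions"].append(e.action)
    return outcomes


# Constructed sessions. LEGIT: known device, normal behavior, one large transfer.
LEGIT_SESSION = [
    Event("balance_check", anomaly=0.05),
    Event("wire_transfer", amount=6000, anomaly=0.15),
]
# SUSPICIOUS: unknown jailbroken device in a new location, new payee, then a transfer.
SUSPICIOUS_SESSION = [
    Event("balance_check", device_known=False, anomaly=0.4),
    Event("add_payee", device_known=False, jailbroken=True, new_location=True, anomaly=0.6),
    Event("wire_transfer", amount=8000, device_known=False, jailbroken=True,
          new_location=True, anomaly=0.7),
]

if __name__ == "__main__":
    for label, events in [("legit", LEGIT_SESSION), ("suspicious", SUSPICIOUS_SESSION)]:
        for o in run_session(events):
            print(label, o)
```

Returning the names of the rules that fired alongside the score is what lets an analyst see why a step-up or block happened, which matters when reviewing the small set of events the engine escalates to a human.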
How continuous authentication helps customer experience
Continuous authentication remains in the background as the customer does their banking, establishing a continuous risk profile for the session, which can change with each action by the customer or their device. Not only does this allow the financial institution to take real-time action when anomalies are detected, it also allows the bank to reduce friction for legitimate banking sessions. The user experience is smooth while also diminishing the threat of an attack, enhancing usability.